[tor-project] The Akamai slide Alec posted

Ian Goldberg tor at cypherpunks.ca
Fri May 20 16:59:00 UTC 2016


On Fri, May 20, 2016 at 09:55:05AM -0700, David Fifield wrote:
> On Fri, May 20, 2016 at 08:56:06AM -0400, Ian Goldberg wrote:
> > Does anyone know where we can get more information about the stats
> > behind this slide:
> > 
> > https://twitter.com/AlecMuffett/status/730773970383982592
> > 
> > The slide says:
> > 
> > 1:11,500 non-Tor IPs contained malicious requests
> > 1:380 Tor exit nodes contained malicious requests
> > 
> > The way it's worded, it sounds like they're saying "1/11500 of the
> > non-Tor IP addresses we saw sent malicious requests, and 1/380 of the
> > Tor exit node IP addresses we saw sent malicious requests", but I'm
> > finding that hard to believe, since 1/380 of the Tor exit node IP
> > addresses is ~3 IP addresses.  It's unlikely that all malicious Tor
> > traffic was confined to 3 exit nodes.  (But interesting if true.)
> > 
> > Were they perhaps being a little loose and really meant "1/11500 TCP
> > connections coming from non-Tor IP addresses, and 1/380 TCP connections
> > coming from Tor exit nodes, contained malicious requests"?
> 
> There's an actual written report (Sadia Afroz found the link to the
> report). The Tor part starts on page 59.
> 
> https://www.stateoftheinternet.com/downloads/pdfs/2015-cloud-security-report-q2.pdf#59
> 
> Here are the relevant tables. The heading "Global Rank" in Figure 4-2 is
> probably supposed to be "Source". The percentages in Figure 4-4 are off
> by a factor of 100; i.e. 1/380=0.0026=0.26%.
> 
> The first two figures, 4-2 and 4-3, are explicitly in terms of requests.
> Figure 4-4 is a ratio between two "traffic" values but the caption
> refers to requests.
> 
> Global Rank	Legitimate HTTP Requests	Frequency
> Non-Tor IPs	534,999,725,930			99.96%
> Tor exit nodes	228,436,820			00.04%
> Figure 4-2: Of the legitimate HTTP requests, excluding static media
> files, less than 1% were from Tor exit nodes
> 
> Source		Legitimate HTTP Requests	Frequency
> Non-Tor IPs	46,530,841			98.74%
> Tor exit nodes	596,042				1.26%
> Figure 4-3: Of the malicious HTTP requests, 1.26% were from Tor exit
> nodes
> 
> Source		Ratio Between Malicious & Legitimate Traffic	Frequency
> Non-Tor IPs	0.00008697% malicious traffic			~1:11,500
> Tor exit nodes	0.00260922% malicious traffic			~1:380
> Figure 4-4: Though the traffic levels are much smaller, Tor exit nodes
> were much more likely to contain malicious requests

Cool, thanks!

   - Ian

